SSL certificate status still expired after successful renewal

My domain is:

I ran this command: certbot renew

It produced this output:
root@ip-172-31-37-234:/etc/letsencrypt/renewal# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2022-07-07 16:19:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2022-07-07 16:19:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

My web server is (include version): certbot --version
certbot 0.31.0

The operating system my web server runs on is (include version): ubuntu at EC2 AWS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): YES

I don't know why renewal didn't apply to the site.
Also new keys were generated under not under
Can you please help? Thanks.

1 Like

Certbot renewed the certificate but the webserver doesn't know that yet.

What's your webserver? How did you install your certificate?

Two certificates for two different hostnames: www and non-www are different.


And did you reload the webserver after renewal? Depending on how you're using Certbot, Certbot may or may not have done this for you already.

certbot renew does not generate new certificates, so you must have done something in the past which has generated the -0001 certificate.

Both certificates currently have just a single hostname in them. You could have combined both hostnames in a single certificate earlier when you've generated these certs.

From your certificate history at | it seems you did have a certificate combining both hostnames in the past up until the end of 2021. But for some reason, on 2021-12-28 a certificate was generated for just You or someone else has managed to generate FIVE identical certificates on that date for some reason, probably running into the duplicate certificates rate limit. And after that a cert with just the www subdomain was generated. And from then on, both certificates seem to have been in use. Although on 2022-01-05 again a duplicate certificate was issued for instead of just a single renewal.. Not sure why that happened..


yes I did stop and restart the webserver. how can I reload?
and last month, the renewal didn't work so I had to revoke and use 'certbot certonly' to create one again.
What should I do to resolve this issue?

1 Like

I meant (not last month), last time in Jan 2022. we need to renew both www and non-www domain's ssh.

1 Like

the main webserver is under and looks like were renewed as well.
and How can I remove -0001 and create keys under domain name? Thanks.

1 Like

That gets a certificate but does not install it.

You might want to try with certbot install


a) You should have fixed any issue back then, it seems using certonly was just a temporary workaround
b) Revoking is almost NEVER necessary. It is NOT useful when you're having issues with getting a certificate AT ALL... :frowning:


Should I remove directories for all related to ''?
or should I keep them and just run 'certbot install'.
Last 12 months I was able to use 'renew' and it had been working.

'renew' has any limit too?

Do not remove those directories.

You have two certificates for two different domain names, right now: and

You need both, or you can get another certificate with both domain names. You have to configure your webserver (apache?) for both names and certbot will pick it up. Otherwise, you have to install both.


Thanks for the quick response. 9peppe.
I understood that the certificates are valid for both domains.
The issue is from the webserver? but I didn't change anything on webserver side (node js) and it had been working before the ssh expiration.
I am running out of options to try out.


Did you move the certificate to install it?


Please show the Node.js configuration for your certificate(s).



Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?



Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 2

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/

What would you like to do?

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Keeping the existing certificate

Problem in /etc/nginx/sites-enabled/default: tried to insert directive "['ssl_certificate', '/var/lib/letsencrypt/snakeoil/0002_cert.pem']" but found conflicting "['ssl_certificate', '/etc/letsencrypt/live/']".


- Unable to install the certificate

  • Congratulations! Your certificate and chain have been saved at:


Your key file has been saved at:


Your cert will expire on 2022-07-07. To obtain a new or tweaked

version of this certificate in the future, simply run certbot again

with the "certonly" option. To non-interactively renew all of

your certificates, run "certbot renew"

Hi, Osiris.

Is that what your are asking about Node.js configuration?

// Make server
var server = new Hapi.Server();

    // NEW HTTPS : Green Lock
    var greenlock = require('greenlock-hapi').create({
            version: 'draft-11' // Let's Encrypt v2
            , server: ''
            , email: ‘'
            , agreeTos: true
            , approveDomains:['', '']  
            , communityMember: true

            , configDir: '/etc/letsencrypt'
            , challenges: {
                'http-01': leHttpChallenge                            // handles /.well-known/acme-challege keys and tokens
            , challengeType: 'http-01'                                // default to this challenge type
            , agreeToTerms: leAgree                                   // hook to allow user to view and accept LE TOS
            // debug: true        });

The message are conflicting. First, Unable to install the certificate.. Then Congrats, your cerificate ... are saved.?

You do realize these are two different acme clients, right?

You only need one.


sorry I am not following about your above comment 9peppe. can you explain whare are two difference acme clients?

An ACME client is a software you use to interact with Let's Encrypt to ask for and get a certificate.

Both Certbot and greenlock are ACME clients, and you usually only need one of them.

You need to think about how your application is using the certificates and where the config for the TLS server is.


I'm confused too.. Are you running a Node.js webserver or nginx?!?